EFF, ACLU, and a coalition of nearly two-dozen civil liberties and advocacy organizations and a union representative are urging the Uniform Law Commission (ULC) to vote down dangerous model employee and student privacy legislation.

The bill, the Employee and Student Online Privacy Protection Act (ESOPPA), is ostensibly aimed at protecting employee and student privacy. But its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide. As our joint letter explains, ESOPPA will result in only further invasions of student and employee privacy.

The ULC is a nonpartisan organization dedicated to researching, drafting, and promoting the enactment of uniform state laws, which it drafts and circulates as “models.” The ULC will vote on ESOPPA on July 11 at its annual meeting, and if it passes, the ULC will circulate the bill to legislators across the country in the hope of uniform adoption in all fifty states. But ESOPPA falls far short of its goal and does not live up to the prevailing standard for protecting social media privacy currently being enacted by the states and as required by the U.S. Constitution.

Social media accounts include vast quantities of sensitive personal information. As the U.S. Supreme Court made clear in Riley v. California, searches of digital devices are grave invasions of personal privacy in ways that physical searches could never be. Yet ESOPPA does next to nothing to prevent school administrators and employers—including public school employees and state officials—from coercing or requiring students and employees to turn over private, non-publicly available information from such accounts. The bill not only fails to comport with protections afforded to such sensitive personal communication under the Constitution, but the few protections it purports to provide are ripe for abuse and without measures to ensure accountability.

Furthermore, ESOPPA applies only to students at the college level and beyond, leaving the privacy of students at the high school level and below completely exposed.

That’s why we’re asking the ULC to either address ESOPPA’s deficiencies or reject the bill outright at its upcoming meeting. Other organizations, including the Foundation for Individual Rights in Education (FIRE), have also sent their own letter to the ULC opposing the current draft of ESOPPA.

You can read the full text of the letter below or access a PDF of the original letter here. Special thanks to all of our coalition partners, listed in full below.

As civil liberties groups, advocacy organizations, student and parent rights coalitions, and a union representative, we write to you today to express deep concern over the Employee and Student Online Privacy Protection Act (“ESOPPA”). We appreciate the ULC’s interest in protecting the privacy of employees and students alike, but the version of the bill submitted to the full ULC committee for approval at the upcoming annual meeting fails to accomplish that goal in light of its significant deficiencies. While it purports to protect both employees and students, its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide—doing next to nothing to prevent school administrators and employers from coercing or requiring students and employees to turn over highly sensitive social media account information. These provisions do not comport with the Fourth or Fifth Amendment, and will result in only further invasions of student and employee privacy.

We ask that you not adopt this bill until these issues have been adequately addressed. If these issues are not addressed, we urge you to reject the proposed bill in its entirety. Three of the bill’s provisions are most problematic:

First, the bill authorizes state employers and public educational institutions to require an employee or student to turn over information related to their social media account, including login information and social media content, based merely on “specific information about the student’s protected personal online account,” in order to (i) ensure compliance with, or investigate non-compliance with, federal or state law or an educational institution policy; or (ii) “to protect against . . . a threat to health or safety[.]”

The U.S. Supreme Court made clear in Riley v. California, 134 S. Ct. 2473 (2014), that searches involving technology and electronic devices are grave invasions of personal privacy in ways that physical searches could never be. That case involved cell phones, which the court recognized as especially important due to the many kinds of information they contain: “Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. . . . The term ‘cell phone’ is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone.” Id. at 2488–89. Social media accounts contain similarly vast amounts of personal information and implicate the very same concerns. Permitting government agents access to students’ and employees’ social media accounts under the vague terms of the current draft of ESOPPA does not comport with the level of protection afforded to such personal information under the Constitution.

Second, although the bill attempts to limit employers or educational institutions access by requiring that any such entity “reasonably attempts to limit its access to content relevant to the purpose justifying that access[,]” such a limit will prove hollow, as it is not technically or practically possible to segregate “relevant” from irrelevant content until all content is accessed. This provision, coupled with the overbroad grant of authority for employers and schools to compel or coerce employees and students to turn over social media account information, renders ESOPPA ripe for abuse by employers and education institutions alike. And the bill includes no measures to ensure accountability.

Third, the limited privacy protections that ESOPPA claims to provide for students have a glaring deficiency—the bill does not apply to most students. ESOPPA provides purported protections only to students at the college level and beyond, leaving the privacy of students at the high school level and below completely exposed. This is not a trivial concern. Students in secondary school and below use social media to learn about and discuss highly sensitive subjects, such as reproductive choices, sexual orientation, gender identity, and political perspectives. In many communities across this country, exposing a student’s perspective on such topics could not only be embarrassing, but it could also place the student’s safety—or even life—at risk. The only option ESOPPA leaves for non-college students who want privacy protection is to not use social media at all. This “option” would do tremendous damages to one of the most vibrant free speech platforms utilized by young people today. This is not acceptable.

We believe it is possible to create a bill that addresses the concerns raised in this letter, protects student and employee privacy, and grants educational institutions and employers the ability to procure social media account information when required or permitted under law, such as when investigating specific allegations of unlawful harassment in the workplace or specific allegations of unlawful bullying by a student or prospective student of another student. Indeed, the American Civil Liberties Union has worked closely with other advocacy organizations and Internet companies alike on its own model legislation, a version of which was enacted in four states this past legislative session alone. Those laws represent the prevailing standard for protecting social media privacy in 2016. ESOPPA, which is coming out of a three-year planning and drafting process, is already showing its age—and it has not even been voted on by the ULC yet. Unless it is the ULC’s objective to roll back the standard for protecting social media privacy currently being enacted by the states, ESOPPA must be significantly revised before it is adopted. The signatories of this letter fully intend to continue our successful efforts to have true social media privacy bills enacted in the states, and if that requires us to oppose ESOPPA, we certainly will.

In order to ensure that ESOPPA does not impermissibly infringe on employees’ and students’ rights, and to enable us to work with rather than against each other on this important issue, we urge the full ULC Committee to either address these concerns or to reject the bill outright.

Related Updates

The full weight of U.S. policing has descended upon protesters across the country as people take to the streets to denounce the police killings of Breonna Taylor, George Floyd, and countless others who have been subjected to police violence. Along with riot shields, tear gas, and other crowd control...

Your phone is your life. It’s where you communicate, get your news, take pictures and videos of your loved ones, relax and play games, and find a significant other. It can track your health, give you directions, remind you of events, and much more. It’s an incredibly helpful tool, but...

EFF has joined a broad coalition of civil liberties, civil rights, and labor advocates to oppose A.B. 2261, which threatens to normalize the increased use of face surveillance of Californians where they live and work. Our allies include the ACLU of California, Oakland Privacy, the California Employment Lawyers Association, Service...

In the wake of nationwide protests against the police killings of George Floyd and Breonna Taylor, we urge protestors to stay safe, both physically and digitally. Our Surveillance Self Defense (SSD) Guide on attending a protest offers practical tips on how to maintain your privacy and minimize your digital...

With states beginning to ease shelter-in-place restrictions, the conversation on COVID-19 has turned to questions of when and how we can return to work, take kids to school, or plan air travel.Several countries and U.S. states, including the UK, Italy, Chile, Germany, and California, have expressed interest in...

When it comes to surveillance of our online lives, Internet service providers (ISPs) are some of the worst offenders. Last year, the state of Maine passed a law targeted at the harms ISPs do to their customers when they use and sell their personal information. Now that law is...

COVID-19, and containment efforts that rely on personal data, are shining a spotlight on a longstanding problem: our nation’s lack of sufficient laws to protect data privacy. Two bills before Congress attempt to solve this problem as to COVID-19 data. One is a good start that needs improvements. The other...

In a landmark decision, the German Constitutional Court has ruled that mass surveillance of telecommunications outside of Germany conducted on foreign nationals is unconstitutional. Thanks to the chief legal counsel, Gesellschaft für Freiheitsrechte (GFF), this a major victory for global civil liberties, but especially those that live and...